As usage of computers and the Internet has increased exponentially in recent years, computer viruses, data leaks, network outages, and other results of cyber-attacks have become incredibly significant. These results can yield a wide variety of harmful effects, from user inconvenience to significant financial or physical damage. Enterprises often rely on computer systems for daily transactions and to store sensitive or otherwise potentially valuable information. Such systems and information are key targets for malicious cyber activity. The harmful effects are amplified as the size of the target's computer networks and systems increases. To combat cyber-attacks, these organizations deploy cyber security systems for detecting and mitigating potential cyber-attacks.
Due to the vast array of types of cyber-attacks, cyber security systems and, in particular, cyber security systems of large organizations, include increasing numbers of security controls from a multitude of sources for responding to threats. Each of these controls may be focused on a different aspect of an organization's security and may generate a variety of alerts related to potential security threats. To manage potential security threats, solutions for security information and event management (SIEM) have been developed. SIEM solutions attempt to provide real-time analysis of security alerts including, for example, logs of security events representing potentially malicious activity.
Existing SIEM solutions face challenges in utilizing security alert information to aid in identification and mitigation of ongoing threats. In particular, some existing solutions provide information regarding each generated security alert in a log format. These existing solutions typically produce overly cumbersome amounts of data that must be analyzed manually by cyber security experts. The large amounts of data (typically thousands of events are generated daily even in a small business organization) often prominently feature massive amounts of false positives. Therefore, security alerts related to true malicious activity may not be given appropriate attention, and security experts may fail to properly address the malicious activity.
To organize the vast amounts of information provided by SIEM systems and the like, some existing solutions utilize static rules for aggregating data related to security alerts from different security systems and for organizing the aggregated data. Nevertheless, such existing solutions fail to provide truly appropriate responses to ongoing threats because they lack flexibility in organizing the data. Furthermore, existing solutions fail to process the events to extract only meaningful information and to display such information in an intuitive way to users, such as cyber security experts. This drawback may result in data that still includes numerous false positives and does not provide complete information regarding true security threats to cyber security experts.
It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.